What is Internal Control Review?

Published July 17, 2020

An internal control review is an overall assessment of an organization’s internal control system across each business area to determine if it’s functioning as intended and if it’s able to manage the risks that the company may face in its day-to-day operations.

An internal control review provides company leaders with assurance about the effectiveness of the company’s internal control environment. Internal controls protect a company from financial loss and help the organization maintain reliable financial reporting and operate more efficiently and securely.

The best way for a company to ensure that its internal control system is operating efficiently is with an internal control review. An internal control review highlights vulnerabilities in a company’s internal control environment and identifies processes that can be strengthened.

What does evaluating internal controls involve?

An internal control review typically tests whether the internal controls are working as designed. Evaluating internal controls involves:

  • Identifying the internal control objectives relevant to the company.
  • Reviewing the applicable policies and procedures and the documentation standards for each of them.
  • Discussing the internal controls with the appropriate stakeholders.
  • Observing the control environment.
  • Testing transactions as appropriate.
  • Sharing findings, concerns, and recommendations with senior management and/or the board of directors.
  • Determining that the company has taken corrective action on identified vulnerabilities in a timely manner.

Effective internal controls are an organization’s first line of defense to protect its assets, prevent and detect errors, and mitigate risk. Internal controls allow a company to proactively evaluate and monitor its programs to eliminate deficiencies in a timely manner.

An internal control review analyst performs an internal control review to determine if there are any internal control deficiencies in a company’s internal control system and provides recommendations to improve or strengthen the internal controls. 

According to the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the five components of internal control are:

  1. Control environment: Involves the company’s attitude about internal controls. This is the foundation for all the other internal control components. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
  2. Risk assessment: Includes identifying and analyzing a company’s risks and forms the basis for how the risks should be managed.
  3. Control activities: Actions established by the policies and procedures that help ensure management directives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.
  4. Information and communication: Systems or processes that support identifying, capturing, and exchanging information that allows people to carry out their duties.
  5. Reporting and monitoring: Processes that identify, monitor, and report on the quality of the internal controls. 

Developing an effective internal control system involves establishing:

  • Policies and procedures, including organizational structure, job descriptions, authorization matrix;
  • Segregation of duties and responsibilities;
  • Authorization and approval process;
  • Performance monitoring and control procedures;
  • Safeguarding assets, completeness, and accuracy;
  • Manpower management;
  • Independent internal audit function;
  • Regulatory compliance and risk management.

An internal control review is beneficial because it encourages compliance with the company’s internal control policies and procedures. It also improves the effectiveness and efficiency of operations. 

In addition, an internal control review confirms the reliability of an organization’s financial reporting and ensures compliance with applicable laws and regulations. It also identifies and prevents errors and irregularities in a timely manner and provides senior management with a thorough understanding of the company’s internal control methods.

A strong internal control environment is key to ensuring that an organization continues to thrive. An internal control review helps identify potential weaknesses in a company’s internal controls and provides practical recommendations to improve the internal controls and reduce risk.
